So let’s take a step back for a minute. I remember having a discussion three years ago with some consultants who were telling me at the time that “2004 is the year of identity management!” When it didn’t materialize, 2005 became the new “year of IdM”. And then 2006. I’m still waiting.

But there are indications on the horizon that this year, finally, may actually be the year that IdM takes off and becomes more widely adopted. I attribute this shift to two factors:

Regulation: the explosion in government and industry regulation that requires organizations to maintain better control over their enterprises – and then be able to prove that those controls are in place – has been a massive driver that is leading to more widespread adoption of IdM solutions.

Technology: implementing an enterprise IdM solution has never been an easy undertaking, but key vendors in the identity management space, like Novell, Sun, Entrust, IBM, Microsoft and Oracle, are making it less painful. Add to this the functionality that allows integration of access control systems for both digital and physical assets, and the business case starts to have some great benefits. Companies like HID and Imprivata offer solutions in this space.

So in the case of identity management, technology and regulation have partnered to finally drive adoption of a security solution that most of us believe should have been adopted years ago. While I suppose that is a good thing, I do believe it points out a basic flaw in how businesses manage enterprise risk. When you allow government or industry regulation to define your organization’s risk management strategy, you are allowing them to define what risk is for your business rather than undertaking a proper review of threats and their impacts that would translate into an accurate risk assessment. In other words: you become reactive instead of proactive. I don’t kid myself, and I hope you understand where I am coming from here.
I understand how difficult it is to fight for the resources you need to secure your enterprise, and in a perfect world businesses would base their security investment on a thorough risk assessment. While regulations offer an easier way to get the resources necessary, that often results in sidestepping a thorough evaluation, which I’d argue should be done anyway and should in fact be the primary methodology for determining your organization’s risk profile. Maybe it’s an issue of communication: it’s easier to tell corporate management that “we have to do something” as opposed to “we should do something.” Do you agree? Please let me know.